Section | Change
Various | Client comments incorporated.

Hold Section Description
1 Deleted
2 Deleted
ABBREVIATIONS
CED Cause & Effect Diagram 
EGPC Egyptian General Petroleum Company 
IL Integrity Level 
IPF Instrumented Protective Function 
EPC Engineering, Procurement & Construction 
ESD Emergency Shut Down 
F&G Fire and Gas 
FEED Front End Engineering Design 
GOGC Genesis Oil and Gas Consultants Ltd 
HAZOP Hazard and Operability 
HP/LP High Pressure / Low Pressure 
HS&E Health, Safety and Environmental 
KPC Khalda Petroleum Company 
LOPA Layers Of Protection Analysis 
P&ID Piping and Instrumentation Diagram 
PFD Probability of Failure on Demand 
PMC Project Management Contractor 
PSV Process Safety Valve 
SAMS Safety Action Management System 
SOL Start Of Line 
SIL Safety Integrity Level 
SIMOPS Simultaneous Operations 
TOR Terms Of Reference 
1 INTRODUCTION


1.1 Project Background 

Qasr is a large, normally pressured gas-condensate reservoir located in the Western 
Desert of Egypt approximately 525 km west of Cairo. The field is operated by Khalda 
Petroleum Company (KPC), a joint venture between Apache Corporation and 
Egyptian General Petroleum Company (EGPC). 


Figure 1-1 Qasr Development Location (Qasr, 525 km west of Cairo)


Field production is initially handled at the Start of Line (SOL) Qasr Plant. After initial 
treatment (cooling and water removal) the gas/condensate is exported to a 
combination of the Salam, Tarek and Obaiyed gas plants for further treatment. 


The Qasr gas and condensate currently free flows from the wellheads through the
Qasr Phase I and Phase II facilities and export pipelines to the SHAMS manifold and
Salam gas plant under reservoir pressure. As the reservoir pressure declines the
peak gas rate of 800 mmscfd will no longer be achievable. The Qasr Compression
Project is designed to improve recovery as the reservoir production rate and
pressure decline.


The Qasr Compression Project scope comprises:

• Gas turbine driven single stage compressor sets
• Condensate export pumps
• Power generation
• Utility systems

1.2 Purpose 

This Terms of Reference (TOR) document for the Safety Integrity Level (SIL)
workshop for the Qasr Compression Project has been prepared to ensure a common
understanding by all parties involved prior to commencement of the study.

A number of measures are to be used on the Qasr Compression Project facilities to
control the process risk (safety, environmental and financial). Some of these
measures are to be implemented using Instrumented Protective Functions (IPF). The
degree of reliance on these IPFs, to control the risk to a tolerable level, is to be
established by categorising the Safety Integrity Level (SIL) required for each IPF.


This assessment is to be done in line with guidance provided in IEC 61511 (Ref. 1-3),
and is to use the calibrated Risk Graph approach (see Appendix A). This
approach relies on grading a number of parameters that describe the nature of the
incident and its potential impact on risk:

• Consequence severity (no. of people affected & vulnerability);
• Personnel exposure;
• Alternatives to avoid danger; and
• Demand rate.


The grading is to be carried out without taking credit for the IPF so that the criticality 
of the IPF can be established. 


1.3 Scope


The review shall assess all the IPFs included in the design of the Qasr Compression
Project FEED to protect against, or to mitigate the consequences of, unplanned
deviations from normal operating conditions that affect safety, environmental and
financial risk from process elements and hazardous utilities. The IPFs shall be identified
from the ESD Cause and Effect matrices, cross-checked against the HAZOP and the
P&IDs.


Non-hazardous utilities, spurious trip integrity affecting production loss (revealed 
failures) and loops with manual initiation are not within the scope of the study. 


This document is structured as follows: 


Section 2: Details the time, date and location of the SIL study and includes a list of 
attendees 

Section 3: Lists the documentation required for the SIL study 

Section 4: Describes the SIL methodology 

Section 5: Details the requirements of the SIL report 


The Risk Graph method is described in Appendix A.


1.4 Terminology


The word “shall” is to be understood as a mandatory requirement. 
The word “should” is to be understood as strongly recommended. 


The word “may” is to be understood as an action to be undertaken at the 
SUPPLIER’s discretion. 


1.5 Definitions


For the purpose of this document, the following definitions apply: 


COMPANY The Khalda Petroleum Company (KPC) 
ENGINEER Genesis Oil and Gas Consultants (GOGC) 
CONTRACTOR EPC Contractor 

2 PLANNING


As a prerequisite to the study, the typical Risk Graph in IEC 61511 needs to be 
calibrated to satisfy the risk control requirements of KPC. This needs to be done 
before the workshop meeting, by KPC’s review of the draft Risk Graph in Section 
4.2, Figure 4-1. 


2.1 Timing and location 


The SIL study will take place as follows:

Timing: 11th October 2011
Location: London

The following facilities will be provided:

• Sufficient room and tabletop lay down area for team members to deploy
  drawings and documents;
• Marker pens for the team;
• A flipchart to allow presentations and explanations to be made;
• Wall area to pin up master copies of drawings; and
• PC & PC projector.


2.2 Study members 


No. | Name | Position
1 | Sukhi Dhanjal | SIL Chairman
2 | Leigh Smith | Scribe
KPC
3 | Ayman Saleh | Project Manager (Part-time)
4 | Samir Saad | HSE
5 | Farrag AbdelKader | Process
6 | Ibrahim Hammad | Process
7 | Mohamed Ismail | Control & Instrument (Part-time)
PMC
8 | Somu Janarthanan | Process
9 | Hadi Moallemi | Control & Instrument (Part-time)
GOGC
11 | Himanshu Mohorikar | Process
12 | Eric Matthews | Control & Instrument (Part-time)

3 DOCUMENTATION
This section outlines the documentation to be reviewed in the SIL study. 
Table 3-1 P&IDs 
Drawing Number Title 
JO8509A-P-DW-12201 Process Legend Sheet 1 
JO8509A-P-DW-12202 Process Legend Sheet 2 
JO8509A-P-DW-12203 Process Legend Sheet 3 
JO8509A-P-DW-12204 Process Legend Sheet 4 
JO8509A-P-DW-12210 Gas manifolds 
JO8509A-P-DW-12215 Condensate manifolds 
JO8509A-P-DW-12211 Compressor Suction Drum and Pump Train A 
JO8509A-P-DW-12212 Compressor Train A
JO8509A-P-DW-12213 Compressor Discharge Cooler Train A 
JO8509A-P-DW-12214 Compressor Discharge Drum Train A 
JO8509A-P-DW-12221 Compressor Suction Drum and Pump Train B 
JO8509A-P-DW-12222 Compressor Train B 
JO8509A-P-DW-12223 Compressor Discharge Cooler Train B 
JO8509A-P-DW-12224 Compressor Discharge Drum Train B 
JO8509A-P-DW-12250 Condensate Suction Drums A 
JO8509A-P-DW-12254 Condensate Suction Drums B 
JO8509A-P-DW-12251 Condensate Booster Pumps A, B & C 
JO8509A-P-DW-12252 Condensate Export Pumps A, B & C 
JO8509A-P-DW-12261 Flash Gas Compressor A (Future) 
JO8509A-P-DW-12262 Flash Gas Compressor B (Future) 
JO8509A-P-DW-12300 Instrument & Utility Air 
JO8509A-P-DW-12301 Inert Gas System 
JO8509A-P-DW-12302 HP Fuel Gas (Flash Gas) FEED 
JO8509A-P-DW-12303 HP Fuel Gas (Process Gas) FEED 
JO8509A-P-DW-12304 Start Up HP Fuel Gas 
JO8509A-P-DW-12305 HP Fuel Gas KOD 
JO8509A-P-DW-12306 Mercury Removal Unit (MRU) 
JO8509A-P-DW-12307 HP Fuel Gas Superheater and Filters 
JO8509A-P-DW-12308 LP Fuel Gas System 
JO8509A-P-DW-12309 HP Flare Collection 
JO8509A-P-DW-12310 LP Sources to Cold Vent Collection 
JO8509A-P-DW-12311 Closed Drain 
JO8509A-P-DW-12312 Power Generation 
JO8509A-P-DW-12313 Diesel System 
Table 3-2 Cause & Effects Diagrams
Drawing Number Title 
JO8509A-J-CF-16030 ESD Cause & Effects Diagrams 
JO8509A-J-CF-16040 F&G Cause & Effects Diagrams 
4 METHODOLOGY


4.1 General 


A prerequisite to the SIL assessment in IEC 61511 is that all the required IPFs have
been identified by a preceding hazard and risk analysis. For all the IPFs included in
the design of the Qasr Compression Project, this has been achieved by a
combination of past experience of designing such systems (as allowed by Ref. 2).


The approach to SIL assessment is to be based on IEC 61511, using a calibrated 
risk graph method. Separate risk graphs are to be used for safety, environmental 
damage and financial loss. 


SIL 4 systems would be regarded as unacceptable; if a SIL 4 requirement is determined,
additional means of protection shall be required to reduce the SIL to an acceptable value.


Any required SIL identified to be level 2 or higher shall be confirmed using a more 
detailed quantitative approach (for example LOPA), during detailed design. 


4.2 Study Scope 


4.2.1 Inclusions 


The review shall assess all the IPFs included in the design of the Qasr Compression
Project FEED to protect against, or to mitigate the consequences of, unplanned
deviations from normal operating conditions that affect safety, environmental and
financial risk from:

• Process Elements;
• Hazardous utilities.


The IPFs shall be identified from the ESD Cause and Effect matrices, cross-checked 
against the HAZOP and the P&IDs. 


4.2.2 Exclusions 


These include:

• Permissives (e.g. instruments that allow a control action to occur, or
  prevent a control action from occurring);
• Inputs from the existing Qasr facilities;
• Inputs from the Fire & Gas system on the new facilities;
• Vendor packages (for which no information is shown on the P&ID);
• Spurious trip integrity affecting production loss (revealed failures);
• Loops with manual initiation.


4.3 Study Approach 


In order to limit the number of IPFs to review, the study should initially screen 
systems with zero or limited potential for safety, asset or environmental loss. 


The assessment process involves several repetitive steps for each of the IPF loops:

1. Identify loop (record tag and P&ID No.);
2. Determine functionality of loop and potential hazard(s) being protected
   against;
3. Identify causes for demand;
4. Evaluate potential consequences (without risk reduction measures);
5. Determine Safety IL with Risk Graph (Figure 4-1) using the following
   parameters:
   • Consequence Severity (no. of people exposed + vulnerability);
   • Personnel Exposure (fraction of time exposed);
   • Alternatives to avoid danger; and
   • Demand rate;
6. Determine IL for environmental loss based on E;
7. Determine IL for financial loss based on F;
8. Required IL to be the highest of the three (S, E, F);
9. Adjust IL if same risk is limited by other independent measures:
   • Take the value of SIL derived in steps 1-8;
   • Identify independent risk reduction measures & adjust IL (PSV up to 2,
     F&G gas detection for safety=1, etc.);
10. Record the results and any associated assumptions or actions; and
11. Repeat steps 1 to 10 for each of the IPF loops.

Figure 4-1 Risk Graph

Consequence Severity (if the protection fails)
SI | Slight Injury
1D | Serious Injuries or 1 Death
MD | Multiple Deaths
C | Catastrophic (>10 deaths use quantified)
E | Environmental
F | Financial / Reputation

Personnel Exposure
NA | Not applicable
R | Rare (<10% of time)
F | Frequent
NB: If demand rate is related to occupancy then use F.

Alternatives to Avoid Danger
NA | Not applicable
P | Possible
NL | Not Likely
P should only be selected if all the following are true:
1. The operator will know the protection has failed
2. Independent means of shutting down are provided
3. There is sufficient time for the operator to respond prior to the hazardous
   event occurring.

Demand Rate
H | High | 0.3 - 3 yrs
L | Low | 3 - 30 yrs
VL | Very Low | 30 yrs+

Normal mode of control / cause of demand
Operator | H
PCS | L
ESD / SSDS | VL

Consequence Type: SAFETY (S)
Consequence | Exposure | Avoidance | High | Low | Very Low
SI | | | 0 | 0 | 0
1D | R | P | 1 | 0 | 0
1D | R | NL | 2 | 1 | 0
1D | F | P | 2 | 1 | 1
1D | F | NL | 3 | 2 | 1
MD | R | | 3 | 3 | 2
MD | F | | 4 | 3 | 3
C | | | 4 | 4 | 4

Consequence Type: ENVIRONMENTAL (E)
Parameter | Consequence | High | Low | Very Low
RR | Reportable Release | 1 | 0 | 0
MT | Major temporary environmental impact (up to 3 months) | 2 | 1 | 0
MP | Major longer term environmental impact (> 3 months) | 3 | 2 | 1

Consequence Type: FINANCIAL (F)
Parameter | Consequence | High | Low | Very Low
<M | <$1M | 1 | 0 | 0
MM | >=$1M, <$10M | 2 | 1 | 0
>M | >$10M | 3 | 2 | 1


Note: If wholly independent mechanical protection (e.g. PSV), or a wholly independent high integrity protection system (HIPS) specified to meet
or exceed the requirements of SIL 3, is available and provides total protection against the scenario under consideration, the resulting SIL target
for the protective system in question can be reduced by 2.

For example:

SCENARIO: Overpressure protection provided by ESD loop (PT, logic solver and valve) and PSV, either one operating will prevent the hazard
occurring.
RISK GRAPH TARGET: SIL target for ESD loop as per the above risk graph is SIL 3.
ACTUAL TARGET: SIL target for the ESD loop taking into account the added protection provided by the PSV is 3 - 2 = SIL 1.
SIL LEVELS: SIL 1 (PFD 0.1 to 0.01); SIL 2 (PFD 0.01 to 0.001); SIL 3 (PFD 0.001 to 0.0001); SIL 4 (PFD 0.0001 to 0.00001).


Genesis Oil & Gas Consultants Ltd
Qasr Compression Project FEED, SIL Terms of Reference
File name: JO8509A-F-HA-20056 Rev D1 SIL Terms of Reference.doc
Date: Sep 2011
Rev: D1

4.4 Study Recording 
The study shall record: 
• IPFs excluded (template Table 4-1);
• IPFs examined (template Table 4-2);
• IL assessment (worksheets template Table 4-3).

Table 4-1 IPFs Excluded (template)
Tag Number | P&ID | Reason for Exclusion

Table 4-2 IPFs Examined (template)
Work Sheet No. | Instrument Tag | Detected Condition | P&ID

Table 4-3 IL Assessment Worksheet (template)

IL Assessment worksheet
Trip:
System No: | Area:
System Name: | P&ID No:
Hazard Description:
Hazard Assessment Process:
IL MEETING | Chairman:
Or other (specify): | Date:

Events leading to the hazard | Event Frequency
1 |
2 |
3 |
4 |
With no protection.

Functional requirements necessary to prevent hazard:
Process condition detected by:
Final actuation device(s) necessary to prevent hazard:
Functional requirements for orderly shutdown and start-up:

Method of Determining required integrity levels
 | Safety | Asset Loss | Environmental Loss
Consequences | | |
Exposure Time (R or F) | | |
Avoidance Probability (P or NL) | | |
Demand Rate (H, L, VL) | | |
Integrity Required | | |

Other Protection Systems:
Overall Integrity Required: None

Consequences of Spurious Trip
Assumptions:
1
2
3
4
Recommendations
1
2
3
4
Document No. | Sheet No. | Sheet Revision:

5 ISSUE OF REPORT

The worksheets will be reviewed on screen with all team members at the point of 
entry; all actions should be complete, readily understood and agreed by the study 
team. 

The Chairman shall record the review actions in the formal Report with
recommendations that will be tracked and managed by the project's Safety Action
Management System (SAMS).


5.1 Report Format 


The Report should conform to the following structure:

1. Summary: Usually no more than a page, highlighting major concerns.
2. Contents List
3. Introduction: This section should include:
   • Reference to the Terms of Reference
   • Scope of the Study
   • List of Study Team Members
   • Study Session Date(s)
4. Methodology: This section should describe the study methodology followed
   for the SIL study, identify any difficulties in meeting the
   Terms of Reference, and include recommendations for
   further studies to be addressed.
5. Major findings: This section should include a summary table of Integrity
   Levels against Initiator Tag Nos.
6. References: This section should include:
   • List of node references
   • All other documentation referenced during the study
7. Review worksheets: All SIL worksheets

Assumptions made in the workshop regarding loops not previously identified in the
CEDs shall be confirmed in future CEDs. The report shall make specific
recommendations for these additional trips which can then be tracked through the
SAMS action tracking system.


5.2 Further Work 


Any required IL identified to be level 2 or higher shall be confirmed using a more 
detailed quantitative approach, during detailed design to more accurately assess the 
loops’ requirements and criticality. 


Where loops are identified as not requiring a specific Integrity Level, consideration 
should be given to removing them from the ESD system and transferring the I/O to 
the process control system. The aim of this is to preserve the ESD system for critical 
shutdown loops only. 


Loops with manual initiation are typically not assessed during a FEED SIL 
Assessment workshop, due to the uncertainties surrounding the human element. 
The detailed design should consider how such loops can be verified as achieving the 
necessary integrity downstream of the manual input, e.g. blowdown push-button 
loops. 


5.3 Safety Action Management System (SAMS) 


To ensure that the key study actions and recommendations are captured and 
tracked to completion, GOGC will implement a SAMS register in accordance with the 
GOGC procedure (CON-PR-460, Ref. 4). 


This register will list all actions arising from the HAZID / HAZOP / SIL workshops in a
simple spreadsheet format for action and information. It will also include all 
recommendations for further work contained in any formal safety studies and any 
HS&E concerns formally raised by discipline engineers. The register will indicate the 
status of all actions at the end of FEED and where these actions have been 
addressed in the project documentation. 


All outstanding pre-FEED actions will also be tracked. 

6 REFERENCES


1. BS IEC 61511-1, Functional Safety — Safety instrumented systems for the 
process industry sector — Part 1: Framework, definition, system, hardware and 
software requirements 

2. BS IEC 61511-2, Functional Safety — Safety instrumented systems for the 
process industry sector — Part 2: Guidelines for the application of BS IEC 
61511-1 

3. BS IEC 61511-3, Functional Safety — Safety instrumented systems for the 
process industry sector — Part 3: Guidelines for the determination of the 
required safety integrity levels 

4. CON-PR-460, ‘SAMS (Safety Action Management System)’ 

APPENDIX A - RISK GRAPH CRITERIA


1.0 Introduction 


The Risk Graph is intended to allow the SIL assessment team to make objective 
judgements about the IPF in a consistent manner. In order to satisfy the overall 
project risk control objectives, the Risk Graph needs to be calibrated to satisfy 
corporate risk criteria, and to take account of risks from other sources. 


Calibration of the Risk Graph is a process of assigning numerical values to the main 
parameters. Each parameter has a range of an order of magnitude, which will 
produce a result within several orders of magnitude. For this reason, the risk graphs 
must be calibrated on a conservative basis to avoid the danger of under-estimating 
the unprotected risk and the amount of risk reduction required. 


This section describes a proposed set of criteria (HOLD 1) for the Risk Graph
parameters to be used for the Qasr Compression Project. This is based on past
industry experience and covers the following main parameters from IEC 61511 (Ref.
2):

• Consequence severity (no. of people affected & vulnerability);
• Personnel exposure;
• Alternatives to avoid danger; and
• Demand rate.


1.1 Consequence Severity 


1.1.1 Safety Consequence 


Table 1.1 Safety Consequences

Parameter | Potential Impact | Description
- | No/slight effect | First aid case and medical treatment case. Not affecting work performance or causing disability
SI | Minor Injury | Lost time injury. Affecting work performance such as restriction to activities or need to take a few days to fully recover (maximum one week)
1D | Serious injuries or 1 Death | Including permanent partial disability. Affecting work performance in the longer term, such as a prolonged absence from work. Irreversible health damage. Total disability for a person, or a single fatality
MD | Multiple Deaths | Multiple fatalities due to the incident (e.g. explosion)
C | Catastrophic | Catastrophic event causing 10 or greater fatalities (e.g. large explosion)

When the safety consequence is less than a minor injury, the integrity of the loop does
not need to be defined.


1.1.2 Environmental Consequences 


The environmental consequences are summarised in Table 1.2:


Table 1.2 Environmental Consequence Guidelines

Parameter | Potential Impact | Description
RR | Reportable release | A quantifiable release requiring submission to relevant environmental regulatory authorities
MT | Major temporary environmental impact (up to 3 months) | Major impact with potential environmental consequences lasting up to 3 months
MP | Major longer term environmental impact (> 3 months) | Major impact with potential environmental consequences lasting over 3 months


Venting of hydrocarbon gas is considered to be an acceptable mitigation measure 
during an emergency and therefore the environmental consequence is low. 


When the environmental consequence is less than a reportable release, the integrity
of the loop does not need to be defined.


1.1.3 Financial Loss Consequence 


The financial loss consequence includes both the cost of repair/replacement of
damaged equipment or parts (labour and parts) and the cost due to loss of
production (or deferred production).


The financial loss consequences are summarised in Table 1.3.

Loss of asset


When determining the financial loss, the cost of repair or replacing parts or 
equipment as well as the cost of labour to repair the equipment should be accounted 
for. The review should estimate the financial loss based upon the consequence and 
choose the corresponding consequence parameter. 


Loss of production 


Where the repair or replacement of equipment will require a shutdown, the loss of 
revenue due to loss of production should be included. When spares are provided, 
the damaged equipment can be repaired off-line whilst production is continued with 
the standby equipment and therefore there is no associated loss of production. 
For each consequence parameter, the duration of shutdown that corresponds to the
financial loss is estimated.


Table 1.3 shows the equivalent financial loss parameter based upon the duration of 
shutdown. 


Table 1.3 Financial Loss Consequence Guidelines

Parameter | Financial loss | Production loss
<M | Loss value less than $1M | Total shutdown disruption, e.g. less than 1 hour
MM | Loss value between $1M and $10M | Total shutdown, e.g. several hours
>M | Loss value greater than $10M | Long term total shutdown, e.g. several days

1.2 Personnel Exposure 


This is a consideration for safety to personnel only and is calculated by determining 
the length of time the area exposed to the hazard is occupied during a normal 
working period. If the time in the hazardous (i.e. exposed) area is different 
depending on the shift pattern then the maximum should be selected. It is only 
appropriate to use R where it can be shown that the demand rate is random and not 
related to situations where occupancy could be higher than normal. The latter is 
usually the case with demands which occur at equipment start-up or with 
maintenance operations. Personnel exposure parameters are shown in Table 1.4. 


Table 1.4 Personnel Exposure Parameter

Parameter | Description
R | Rare to more frequent exposure in the hazardous zone. The occupancy level is less than 0.1.
F | Frequent to permanent exposure in the hazardous zone. The occupancy level is greater than 0.1


The frequency of exposure is not a consideration when considering financial loss or 
environmental risk and therefore is not used in the risk graph for these issues. 


1.3 Probability of Avoidance 


This is the probability of avoiding the hazardous event if the protection system fails to 
operate. The probability of avoidance is generally the same for the safety, financial 
loss and environmental assessment. Probability of avoidance parameters are shown 
in Table 1.5. 

Table 1.5 Probability of Avoidance Parameter

Parameter | Description
P | Possible
NL | Not Likely

P is adopted if all of the conditions defined below are satisfied:

• facilities are provided to alert the operator that the protection has failed;
• independent facilities are provided to shut down such that the hazard
  can be avoided or which enable all persons to escape to a safe area;
  and
• the time between the operator being alerted and a hazardous event
  occurring is definitely sufficient for the necessary actions.

NL is adopted if any of the defined conditions above are not satisfied.


1.4 Demand Rate 


To determine the demand rate of a trip function, it is necessary to consider all 
sources of failure that can lead to a hazardous event. In determining the demand 
rate, limited credit can be allowed for control system performance and intervention. 
The performance which can be claimed if the control system is not designed and 
maintained according to IEC 61511 is limited to below the performance ranges 
associated with IL 1. No risk mitigation can be taken for a control function if the 
hazardous event is dependent on its failure. The purpose of the demand factor is to 
estimate the frequency of the hazard taking place without the addition of the Safety 
Instrumented System (SIS) or relief valves. 


If the demand rate is very high (e.g. 10 per year) the IL has to be determined by
another method or the risk graph recalibrated. In this case the mode of operation is
high demand or continuous as defined in IEC 61511, Clause 3.2.43.2 (Ref. 3).

The demand rate is grouped into three "bands" as shown in Table 1.6.


Table 1.6 Financial Loss Consequence Guidelines

Parameter | Description | Example
High (H) | | Operator
Low (L) | | PCS
Very Low (VL) | Demand rate less than 0.03 per year | ESD


1.5 IL Target Level 


The highest integrity level from the safety, financial loss and environmental 
assessments shall be selected as the required Safety Integrity Level. 
For each of the safety instrumented functions operating in demand mode, the
required IL shall be specified in accordance with levels as stated in Table 1.7 below
(Ref. 2 & 3):


Table 1.7 Probability of Failure on Demand for IL 1, 2, 3 and 4

Parameter | Probability of Failure on Demand
IL 4 | >= 10^-5 to < 10^-4
IL 3 | >= 10^-4 to < 10^-3
IL 2 | >= 10^-3 to < 10^-2
IL 1 | >= 10^-2 to < 10^-1

1.6 Nominal Demand Frequencies 


Nominal demand frequencies proposed for the IL specification are shown in Table 
1.8. 


Table 1.8 Nominal Demand Frequencies

Initiating Event | Nominal Frequency | Demand Rate
Human Error (Routine once per | 1/year | H
Human Error (Non routine, low | 1/10 Years | L
Control Loop Failure | 1/10 Years (Failure to designated position) | L
Control Loop Failure | 1/100 Years (Failure to position opposite to that designated) | VL
Large Fire | 1/100 Years | VL


In the majority of events causing demand on the IPF, the event will be assigned a 
demand rate of L. Examples are given in Table 1.9 below. However, the meeting 
should consider if the demand rate should be increased or decreased depending on 
the specific circumstances of the demand. The IL worksheet should justify the 
choice of demand frequency when not taken as L (especially for H). 


Table 1.9 Nominal Demand Frequencies

Event | Demand Rate
ESD valve fails closed |
Failure to clean strainer |


The consequence class shall be decreased by 1 step if the potential consequences 
are expected to occur in less than 1 out of 10 failures. Note however that the 
vulnerability factors for the health and safety already take into account the probability 
of ignition, so no further reduction shall be taken into account for this. 

1.7 Mechanical Protective Systems


Following specification of the initial integrity level, credit should be taken for the 
existence of mechanical protective systems providing protection against the 
identified hazard. 


An IL reduction of 2 can be taken when a full flow PSV is provided (without a 
bursting disc upstream). As a minimum, any high pressure trip that is provided as a 
protective system along with a mechanical protection shall be classified as IL 1 given 
that it also prevents the opening of a relief valve. The consequences of opening a 
relief valve are financial loss (cost to test and repair valve if opened), and 
environmental (venting of gas to atmosphere). 
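
The assessment sequence of section 4.3 (steps 5 to 9), combined with the rules in Appendix A sections 1.4 to 1.7, written out as an added Python example; it is not part of the original Terms of Reference. The safety IL is taken as an input read by the study team from the safety branch of Figure 4-1; the function names, the handling of values exactly on a band boundary and the wording of the action strings are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

BANDS = ("H", "L", "VL")  # demand-rate columns of Figure 4-1

# Environmental and financial matrices as printed in Figure 4-1.
# Rows: consequence class; columns: required IL at demand H, L, VL.
ENVIRONMENTAL = {"RR": (1, 0, 0), "MT": (2, 1, 0), "MP": (3, 2, 1)}
FINANCIAL = {"<M": (1, 0, 0), "MM": (2, 1, 0), ">M": (3, 2, 1)}

# PFD range (lower, upper) per level, from the note under Figure 4-1.
PFD_RANGE = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def demand_band(interval_years):
    """Band the mean interval between demands using the Figure 4-1 ranges.

    Assumption: a value exactly on a boundary falls in the lower-demand band.
    """
    if interval_years >= 30:
        return "VL"
    if interval_years >= 3:
        return "L"
    if interval_years >= 0.3:
        return "H"
    # More frequent than the High band: Appendix A 1.4 requires another method.
    raise ValueError("demand too frequent for the risk graph; use another method")


def matrix_il(matrix, consequence, band):
    """IL from one matrix; None means below the lowest class (no IL defined)."""
    if consequence is None:
        return 0
    return matrix[consequence][BANDS.index(band)]


@dataclass
class Assessment:
    unmitigated_il: int          # highest of S, E, F before any credit (step 8)
    required_il: int             # after credit for mechanical protection (step 9)
    pfd_range: Optional[tuple]   # None when no IL is required
    actions: list


def assess(safety_il, env, fin, band, full_flow_psv=False, hp_trip=False):
    """Steps 5 to 9 of section 4.3 for one IPF loop."""
    if band not in BANDS:
        raise ValueError("band must be one of H, L, VL")
    unmitigated = max(safety_il,
                      matrix_il(ENVIRONMENTAL, env, band),
                      matrix_il(FINANCIAL, fin, band))
    required = unmitigated
    if full_flow_psv:
        # Appendix A 1.7: a full flow PSV allows an IL reduction of 2 ...
        required = max(unmitigated - 2, 0)
        # ... but a high pressure trip alongside it is IL 1 as a minimum.
        if hp_trip:
            required = max(required, 1)
    actions = []
    if required >= 4:
        actions.append("SIL 4 unacceptable: add further means of protection")
    elif required >= 2:
        actions.append("confirm by quantitative method (e.g. LOPA) in detailed design")
    elif required == 0:
        actions.append("consider moving the loop from ESD to the process control system")
    return Assessment(unmitigated, required, PFD_RANGE.get(required), actions)


if __name__ == "__main__":
    # The scenario from the Figure 4-1 note: risk graph target SIL 3, PSV fitted.
    print(assess(safety_il=3, env=None, fin=None, band="L", full_flow_psv=True))
    # Constructed case: control loop failure once in 10 years, MP / MM consequences.
    print(assess(safety_il=0, env="MP", fin="MM", band=demand_band(10)))
```
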